When They Go Low: 


Automated Replacement of Low-level Functions in 
Ethereum Smart Contracts 


Rui Xi, Karthik Pattabiraman 





Department of Electrical and Computer Engineering 
University of British Columbia (UBC) 





Evil functions in Programming Languages 





evaLl() in JavaScript & Python, 
Reflective calls in Java... 


Similar thing happens on Solidity, but with greater financial loss: 


42.7 ether lost due to unchecked return value after send() (2016) 


Motivation 





Solidity community developed guidelines to avoid these bad practises. 
Many vulnerabilities are originated from bad practises (studied in 
Securify and Mythril). 


End Goal: Enforce Solidity guidelines. 


Define Low-level Functions 


Based on three criteria (solution, exploit, syntax), 

11 out of 21 warnings in Solidity documentation are selected. 
e Deprecated send() (DS) 

e Low-level call() (LC) 

e Inline Assembly (IA) 


@ Warning 


Before version 0.5.0 aright shift x >» y fornegative x was equivalent to the mathematical 
expression x / 2**y rounded towards zero, i.e., right shifts used rounding up (towards zero) 
instead of rounding down (towards negative infinity). 





Empirical Study 


Dataset Date #contracts % use low-level 
functions 


Base 2016-2019 | 149,363 14% 


Recent 2019-2021 170,304 38% 


% replaceable in low-level 
function use 


75% 


77% 


Developers seem to not follow guidelines after it published. 





Trivial Replacement? 


In Documentation: 





Categories Before After 

Deprecated send() | receiver.send(1 ether) ; receiver.transfer(1 ether) ; 

In Reality: 

Home-grown if(!receiver.send(1 ether))throw; else{...} 2 

Deprecated send () 

encapsulation require(!receiver.send(1 ether), “oops!”); 72 
return receiver.send(1 ether); ae 


One replacement does not fit all. 


Methodology 





Source code Replaced Source code 
if (!receiver.send( 
1 ether)){ 
throw; } 
else{...} 







receiver.transfer ( 


AST replacing 1 ether) ; 


GoHigh’s AST 
pattern database 


fi 


Evaluation Results 


1. RQ: Patterns cover all low-level function contract? 


a. Yes. GoHigh’s patterns cover 100% of the cases in the Recent Set. 
2. RQ: Replacement break syntax? 


a. No. 100% pass compile, and 97% get less or same warnings. 
3. RQ: Replaced version identical to the original? 


a. Yes. For cases we can verify, all yield same contract states. 





Takeaway 





1. The majority use of low-level functions are gratuitous and 
replaceable. 

2. Developers seem to not follow guidelines after it published. 

3. GoHigh works consistently well on both the base and the recent 
dataset. 


Thank you for watching! 


GitHub: https://github.com/DependableSystemsLab/GoHigh 
Email: ruixi801@ece.ubc.ca 


